9f78fec897a3efa48c3f08a346ce241dbb29d40ddcb1926a401ea89bb9908132

Analysis

max time kernel
91s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/vcredist_x86.exe
Size

4.0MB
MD5

5689d43c3b201dd3810fa3bba4a6476a
SHA1

6939100e397cef26ec22e95e53fcd9fc979b7bc9
SHA256

41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b
SHA512

4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b
SSDEEP

49152:DQC7p7i0AY9PE1UJEfcnKiJ/K7+RIaCSi3haenvUvwwZDfimxQ02BhoZGxaJq8QQ:DLp7ilY9CQEcKz+kSixJvzwZeK2ggYK4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	install.exe

Loads dropped DLL 1 IoCs

pid	Process
1448	install.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1448	1220	vcredist_x86.exe	84
PID 1220 wrote to memory of 1448	1220	vcredist_x86.exe	84
PID 1220 wrote to memory of 1448	1220	vcredist_x86.exe	84

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vcredist_x86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220
- \??\c:\867349fa7719202a68410f50b5676b\install.exe
  c:\867349fa7719202a68410f50b5676b\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\867349fa7719202a68410f50b5676b\install.exe

Filesize
549KB

MD5
33c9213ff5849ef7346799cae4d8ac80

SHA1
5421169811570171e9d2d0a1cdca9665273e7b59

SHA256
3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff

SHA512
da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\eula.1033.txt

Filesize
9KB

MD5
162fc8231b1bd62f1d24024bb70140d5

SHA1
7fa4601390f1a69b4824ee1334bee772c2941a24

SHA256
c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b

SHA512
a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\install.ini

Filesize
844B

MD5
5feaa6a36fea7dfdb88c18d69ba6d6a9

SHA1
7afd91a7b046d68b6ee9fd367bcd7a4fec546216

SHA256
67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc

SHA512
6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\install.res.1033.dll

Filesize
89KB

MD5
8e97ea8a1ed69806232e8743f9a28706

SHA1
e911d3802e64f9be0e1ac68865bbcc92624d6a1f

SHA256
2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100

SHA512
aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\vc_red.msi

Filesize
227KB

MD5
6e17361f8e53b47656bcf0ed90ade095

SHA1
bce290a700e31579356f7122fb38ce3be452628a

SHA256
8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96

SHA512
a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Download Submit
\??\c:\867349fa7719202a68410f50b5676b\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/1448-33-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/1448-37-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download